mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-22 22:45:48 +01:00
ECDSA: Fix side channel vulnerability
The blinding applied to the scalar before modular inversion is inadequate. Bignum is not constant time/constant trace, side channel attacks can retrieve the blinded value, factor it (it is smaller than RSA keys and not guaranteed to have only large prime factors). Then the key can be recovered by brute force. Reducing the blinded value makes factoring useless because the adversary can only recover pk*t+z*N instead of pk*t.
This commit is contained in:
parent
bb3d55665e
commit
6bd8c0ae2a
@ -363,6 +363,7 @@ modn:
|
|||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pk, pk, &t ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pk, pk, &t ) );
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pk, pk, &grp->N ) );
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) );
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );
|
||||||
|
Loading…
Reference in New Issue
Block a user